Question about spam issue

killmasta93

Renowned Member
Aug 13, 2017
Hi,
Currently I was wondering if someone could shed some light on the issue I'm having.

We're getting an odd email constantly, but what's weird is that on the same day it blocks the email and also lets it go through.

These were the logs where it blocked it, and right below, where it let it pass through.

Code:
Aug 29 11:32:38 mail postfix/smtpd[31931]: connect from ijjihwxb.enstuff.com[85.217.145.71]
Aug 29 11:32:39 mail postfix/smtpd[31931]: Anonymous TLS connection established from ijjihwxb.enstuff.com[85.217.145.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 29 11:32:40 mail postfix/smtpd[31931]: 0CA433C08AB: client=ijjihwxb.enstuff.com[85.217.145.71]
Aug 29 11:32:40 mail postfix/cleanup[32136]: 0CA433C08AB: info: header From: Lavandula <eli.bea@enstuff.com> from ijjihwxb.enstuff.com[85.217.145.71]; from=<eli.bea@enstuff.com> to=<servicioalcliente@mydomain.com> proto=ESMTP helo=<ijjihwxb.enstuff.com>
Aug 29 11:32:40 mail postfix/cleanup[32136]: 0CA433C08AB: info: header To: servicioalcliente@mydomain.com from ijjihwxb.enstuff.com[85.217.145.71]; from=<eli.bea@enstuff.com> to=<servicioalcliente@mydomain.com> proto=ESMTP helo=<ijjihwxb.enstuff.com>
Aug 29 11:32:40 mail postfix/cleanup[32136]: 0CA433C08AB: info: header Subject: Password for servicioalcliente@mydomain.com expires Today 8/29/2022 6:32:33 p.m. from ijjihwxb.enstuff.com[85.217.145.71]; from=<eli.bea@enstuff.com> to=<servicioalcliente@mydomain.com> proto=ESMTP helo=<ijjihwxb.enstuff.com>
Aug 29 11:32:40 mail postfix/cleanup[32136]: 0CA433C08AB: message-id=<20220829183233.BB880CC6FDC80881@enstuff.com>
Aug 29 11:32:40 mail postfix/qmgr[1535]: 0CA433C08AB: from=<eli.bea@enstuff.com>, size=8930, nrcpt=1 (queue active)
Aug 29 11:32:40 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: new mail message-id=<20220829183233.BB880CC6FDC80881@enstuff.com>#012
Aug 29 11:32:40 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: virus detected: Sanesecurity.Phishing.Fake.28309.UNOFFICIAL (clamav)
Aug 29 11:32:40 mail postfix/smtpd[31931]: disconnect from ijjihwxb.enstuff.com[85.217.145.71] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 29 11:32:41 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: SA score=4/5 time=1.479 bayes=1.00 autolearn=no autolearn_force=no hits=AWL(-3.190),BAYES_99(3.5),BAYES_999(0.2),DCC_CHECK(1.1),DCC_REPUT_95_98(1),DIGEST_MULTIPLE(0.293),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FSL_BULK_SIG(0.001),HTML_MESSAGE(0.001),KAM_SHORT(0.001),MIME_HTML_ONLY(0.1),PYZOR_CHECK(1.392),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)
Aug 29 11:32:42 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: notify <myuser@mydomain.com> (rule: Block Viruses, 003073C19F2)
Aug 29 11:32:42 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: moved mail for <servicioalcliente@mydomain.com> to virus quarantine - 3C19F6630CEA2A070DD (rule: Block Viruses)
Aug 29 11:32:42 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: processing time: 1.65 seconds (1.479, 0.044, 0)
Aug 29 11:32:42 mail postfix/lmtp[30840]: 0CA433C08AB: to=<servicioalcliente@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.81/0/0/1.7, dsn=2.5.0, status=sent (250 2.5.0 OK (3C11D2630CEA2866D7B))
Aug 29 11:32:42 mail postfix/qmgr[1535]: 0CA433C08AB: removed


Code:
Aug 29 15:55:13 mail postfix/smtpd[15334]: connect from unknown[85.217.145.71]
Aug 29 15:55:14 mail postfix/smtpd[15334]: Anonymous TLS connection established from unknown[85.217.145.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 29 15:55:14 mail postfix/smtpd[15334]: EF0E83C174B: client=unknown[85.217.145.71]
Aug 29 15:55:15 mail postfix/cleanup[14810]: EF0E83C174B: info: header From: xxxx Administrator <eli.bea@enstuff.com> from unknown[85.217.145.71]; from=<eli.bea@enstuff.com> to=<myuser@mydomain.com> proto=ESMTP helo=<ijjihwxb.enstuff.com>
Aug 29 15:55:15 mail postfix/cleanup[14810]: EF0E83C174B: info: header To: myuser@mydomain.com from unknown[85.217.145.71]; from=<eli.bea@enstuff.com> to=<myuser@mydomain.com> proto=ESMTP helo=<ijjihwxb.enstuff.com>
Aug 29 15:55:15 mail postfix/cleanup[14810]: EF0E83C174B: info: header Subject: Important Update: Verify Your Mailbox from unknown[85.217.145.71]; from=<eli.bea@enstuff.com> to=<myuser@mydomain.com> proto=ESMTP helo=<ijjihwxb.enstuff.com>
Aug 29 15:55:15 mail postfix/cleanup[14810]: EF0E83C174B: message-id=<20220829135510.F887F29C97589BD7@enstuff.com>
Aug 29 15:55:15 mail postfix/qmgr[1535]: EF0E83C174B: from=<eli.bea@enstuff.com>, size=12893, nrcpt=1 (queue active)
Aug 29 15:55:15 mail pmg-smtp-filter[15429]: 3C19FF630D27B35D603: new mail message-id=<20220829135510.F887F29C97589BD7@enstuff.com>#012
Aug 29 15:55:15 mail postfix/smtpd[15334]: disconnect from unknown[85.217.145.71] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 29 15:55:17 mail pmg-smtp-filter[15429]: 3C19FF630D27B35D603: SA score=2/5 time=1.847 bayes=0.50 autolearn=no autolearn_force=no hits=AWL(-0.884),BAYES_50(0.8),DCC_CHECK(1.1),DCC_REPUT_90_94(0.6),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),RDNS_NONE(0.793),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)
Aug 29 15:55:17 mail postfix/smtpd[15325]: connect from localhost.localdomain[127.0.0.1]
Aug 29 15:55:17 mail postfix/smtpd[15325]: 5C2853C1D32: client=localhost.localdomain[127.0.0.1], orig_client=unknown[85.217.145.71]
Aug 29 15:55:17 mail postfix/cleanup[13215]: 5C2853C1D32: message-id=<20220829135510.F887F29C97589BD7@enstuff.com>
Aug 29 15:55:17 mail pmg-smtp-filter[15429]: 3C19FF630D27B35D603: accept mail to <myuser@mydomain.com> (5C2853C1D32) (rule: default-accept)
Aug 29 15:55:17 mail postfix/smtpd[15325]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Aug 29 15:55:17 mail pmg-smtp-filter[15429]: 3C19FF630D27B35D603: processing time: 2.088 seconds (1.847, 0.067, 0)
Aug 29 15:55:17 mail postfix/lmtp[15209]: EF0E83C174B: to=<myuser@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=0.91/0/0/2.1, dsn=2.5.0, status=sent (250 2.5.0 OK (3C19FF630D27B35D603))
Aug 29 15:55:17 mail postfix/qmgr[1535]: EF0E83C174B: removed
Aug 29 15:55:17 mail postfix/qmgr[1535]: 5C2853C1D32: from=<eli.bea@enstuff.com>, size=14209, nrcpt=1 (queue active)
Aug 29 15:55:17 mail postfix/smtp[12264]: 5C2853C1D32: to=<myuser@mydomain.com>, relay=192.168.3.170[192.168.3.170]:27, delay=0.31, delays=0.24/0/0.05/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 98C44393692E)
Aug 29 15:55:17 mail postfix/qmgr[1535]: 5C2853C1D32: removed

What I don't understand is how they got all my emails to send this massive

The raw email:

https://pastebin.com/kJkWgm6j

The first mail was caught by a Sane Security ClamAV signature - the second wasn't - maybe the mail was slightly different and did not trigger the signature.

What I don't understand is how they got all my emails to send this massive
This sounds odd - if they have a list of all of your e-mail addresses - I would check whether you've leaked them somewhere.
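Added example, not code from the thread or from Proxmox Mail Gateway: a small Python parser that joins the postfix and pmg-smtp-filter lines on message-id and reports any sending IP whose messages got different verdicts, so the difference between the two sessions (ClamAV hit plus SA 4/5 and quarantine, versus no ClamAV hit, SA 2/5 with RDNS_NONE and default-accept) is visible at a glance. The log excerpt inside is a constructed, shortened copy of the two sessions quoted above; run it against the full mail.log to see the same two records.

```python
import re
# Constructed, shortened copy of the two sessions quoted in the thread (SA hit lists trimmed).
SAMPLE_LOG = """\
Aug 29 11:32:40 mail postfix/smtpd[31931]: 0CA433C08AB: client=ijjihwxb.enstuff.com[85.217.145.71]
Aug 29 11:32:40 mail postfix/cleanup[32136]: 0CA433C08AB: message-id=<20220829183233.BB880CC6FDC80881@enstuff.com>
Aug 29 11:32:40 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: new mail message-id=<20220829183233.BB880CC6FDC80881@enstuff.com>#012
Aug 29 11:32:40 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: virus detected: Sanesecurity.Phishing.Fake.28309.UNOFFICIAL (clamav)
Aug 29 11:32:41 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: SA score=4/5 time=1.479 bayes=1.00 autolearn=no autolearn_force=no hits=AWL(-3.190),BAYES_99(3.5),DKIM_VALID(-0.1),SPF_PASS(-0.001)
Aug 29 11:32:42 mail pmg-smtp-filter[31960]: 3C11D2630CEA2866D7B: moved mail for <servicioalcliente@mydomain.com> to virus quarantine - 3C19F6630CEA2A070DD (rule: Block Viruses)
Aug 29 15:55:14 mail postfix/smtpd[15334]: EF0E83C174B: client=unknown[85.217.145.71]
Aug 29 15:55:15 mail postfix/cleanup[14810]: EF0E83C174B: message-id=<20220829135510.F887F29C97589BD7@enstuff.com>
Aug 29 15:55:15 mail pmg-smtp-filter[15429]: 3C19FF630D27B35D603: new mail message-id=<20220829135510.F887F29C97589BD7@enstuff.com>#012
Aug 29 15:55:17 mail pmg-smtp-filter[15429]: 3C19FF630D27B35D603: SA score=2/5 time=1.847 bayes=0.50 autolearn=no autolearn_force=no hits=AWL(-0.884),BAYES_50(0.8),RDNS_NONE(0.793),SPF_PASS(-0.001)
Aug 29 15:55:17 mail pmg-smtp-filter[15429]: 3C19FF630D27B35D603: accept mail to <myuser@mydomain.com> (5C2853C1D32) (rule: default-accept)
"""
# syslog prefix, program[pid], then a postfix queue id or pmg-smtp-filter id, then the rest
LINE = re.compile(r"^\w+ +\d+ [\d:]+ \S+ (?P<prog>[\w/-]+)\[\d+\]: (?P<id>[0-9A-F]+): (?P<rest>.*)$")
def summarize(log_text):
    """Join postfix and pmg-smtp-filter lines on message-id: one record per message."""
    client, filter_mid, msgs = {}, {}, {}
    for line in log_text.splitlines():
        if not (m := LINE.match(line)):
            continue
        prog, qid, rest = m.group("prog", "id", "rest")
        key, _, val = rest.partition("=")
        if prog.startswith("postfix/") and key == "client":
            client[qid] = val  # "hostname[ip]"; "unknown" when the IP has no PTR record
        elif prog.startswith("postfix/") and key == "message-id":
            rec = {"client": client.get(qid, ""), "clamav": None, "sa_score": None, "hits": set(), "action": None}
            msgs.setdefault(val, rec)  # the copy pmg re-injects via 127.0.0.1 reuses the message-id
        elif key == "new mail message-id":
            filter_mid[qid] = val.split("#012")[0]
        elif (rec := msgs.get(filter_mid.get(qid))) is not None:
            if rest.startswith("virus detected: "):
                rec["clamav"] = rest[len("virus detected: "):].rsplit(" (", 1)[0]
            elif key == "SA score":
                rec["sa_score"] = int(val.split("/")[0])
                rec["hits"] = set(re.findall(r"([A-Z0-9_]+)\(", rest.partition("hits=")[2]))
            elif " quarantine" in rest:
                rec["action"] = "quarantine"
            elif rest.startswith("accept mail"):
                rec["action"] = "accept"
    return msgs
def conflicting_verdicts(msgs):
    """Sending IPs whose messages got different verdicts, i.e. the case reported in the thread."""
    verdicts = {}
    for rec in msgs.values():
        verdicts.setdefault(rec["client"].rsplit("[", 1)[-1].rstrip("]"), set()).add(rec["action"])
    return {ip: acts for ip, acts in verdicts.items() if len(acts) > 1}
```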
 
Thanks for the reply. Yeah, that's what is odd; not sure how they knew the email address.

Could it be because I have Verify receivers?
What's even more odd is that I have Avast, SaneSecurity, and securite; not sure what else I can add to make the filters better?
Thank you

Could it be because I have Verify receivers?
Not really likely - while it is possible for anyone to enumerate the valid e-mail addresses this way - you would have noticed if someone tried
(the logs would be full of mails rejected due to recipient verification not finding the recipient...)